DHS aware of imported electronics pre-loaded with malware

Testifying before the House Oversight and Government Reform Committee, acting deputy secretary of the DHS National Protection and Programs Directorate Greg Schaffer admitted on the record the that DHS is aware of instances were electronics imported into the United States have been pre-loaded with malware, spyware, and other cyber-security threats, and that both the DHS and the White House have been aware of the threat for some time.

When repeatedly asked a “softball” question by Utah representative Jason Chaffetz (R) whether he was aware of instances where foreign-manufacturers software or hardware components had been intentionally embedded with security risks, Schaffer hesitatingly stated “I am aware of instances where that has happened.”

The focus of the Oversight and Government Reform Committee is more on infrastructure—systems that control power grids, water and hydro systems, emergency communications, and government response rather than consumer electronics.

Schaffer did not offer any details on the nature of the compromised technology, but did emphasize that many American-made systems use components from foreign manufacturers. The implication is that foreign agencies or interests are using international suppliers to get compromised software and equipment into the supply chain, potentially laying the groundwork for cyberattacks against U.S. infrastructure systems or even everyday consumers. The attacks could take the form of security holes that provide access to sensitive and/or classified information, or could potentially provide a foreign power the ability to cripple portions of the U.S. infrastructure, causing significant economic damage to the country.

Schaffer has an extensive background in private sector cybersecurity and managing communications infrastructure.

The White House’s recent Cyberspace Policy Review (PDF) recently hinted at the same vulnerability, noting that while consumers are most likely to be targeted by counterfeit products, supply chain attacks “might narrowly focus on particular systems and make manipulation virtually impossible to discover.”

Schaffer’s testimony before the committee was to discuss a proposal that would offer incentive for private sector organizations to share security-related information with the federal government.